Bug 1573737

Summary: LWP should use a CONNECT tunnel for HTTPS requests when using a proxy
Product: Red Hat Enterprise Linux 7 Reporter: Petr Pisar <ppisar>
Component: perl-libwww-perl Assignee: perl-maint-list
Status: CLOSED WONTFIX QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.5 CC: providing
Target Milestone: rc Keywords: FutureFeature, Patch, Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1573132 Environment:
Last Closed: 2019-11-21 15:13:09 UTC Type: Bug
Bug Depends On: 1573132    
Bug Blocks:    
Attachments:
Description Flags
Upstream fix none
Fix ported to 6.05 none

Description Petr Pisar 2018-05-02 07:47:01 UTC
+++ This bug was initially created as a clone of Bug #1573132 +++
[...]
--- Additional comment from  on 2018-04-30 13:04:28 GMT ---

I will explain our usage:
We do have Perl scripts that connect via an HTTP proxy to HTTPS servers. For this, the CONNECT method is required. The delivered version does not accept this and sends 'GET https://<host>', which is correctly answered by the proxy with 501 - not implemented.

We had these Perl scripts running successfully on Debian and have now found that they are not working in RHEL. We drilled it down to the updates made with this commit for LWP-Protocol-https https://github.com/libwww-perl/LWP-Protocol-https/commit/ec57b73f6a73135f37fbc147bbae99ab8d20b9aa and the corresponding patch in libwww-perl you mentioned as a requirement https://github.com/libwww-perl/libwww-perl/commit/cb80c2ddb70dff2f892ade86d2aa5ce4939442f8

--- Additional comment from Petr Pisar on 2018-05-02 07:41:08 GMT ---

According to "5.3.2. absolute-form" section of RFC 7230, clients can pass an absolute URL to a non-CONNECT method when talking to a proxy <https://tools.ietf.org/html/rfc7230#section-5.3.2>:

[...]

Technically it's an issue with your proxy that does not fully implement RFC 7230.

However, I can imagine that it can be a security concern if a client needs end-to-end encryption. And also in your case a compatibility issue.

[...]

Affected packages:

perl-LWP-Protocol-https-6.04-4.el7.noarch
perl-libwww-perl-6.05-2.el7.noarch

--- Additional comment from Petr Pisar on 2018-05-02 07:42 GMT ---

perl-libwww-perl fix requires a change in perl-LWP-Protocol-https (bug #1573132).
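
A local check of which request form the installed LWP sends to a proxy for an https:// URL, as an added example that is not part of this bug report or of the upstream patches: a loopback listener stands in for the proxy and reports the first request line it receives. The URL, the `classify_request_line` helper and the verdict labels are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: a loopback listener plays the proxy and records one request
# from LWP, showing whether the client tunnels (CONNECT) or sends the HTTPS
# request to the proxy in the clear (absolute-form GET).
use strict;
use warnings;
use IO::Socket::INET;
use LWP::UserAgent;

# Classify the request line a proxy receives (RFC 7230 section 5.3).
sub classify_request_line {
    my ($line) = @_;
    return 'unparseable' unless defined $line
        && $line =~ m{^(\S+) (\S+) HTTP/\d\.\d\r?\n?\z};
    my ($method, $target) = ($1, $2);
    return 'tunnel'          if $method eq 'CONNECT';      # authority-form
    return 'plaintext-https' if $target =~ m{^https://}i;  # absolute-form
    return 'other';
}

my $listener = IO::Socket::INET->new(
    LocalAddr => '127.0.0.1', LocalPort => 0, Proto => 'tcp',
    Listen    => 1,           Timeout   => 10,
) or die "cannot listen: $!";
my $port = $listener->sockport;

my $pid = fork();
die "fork failed: $!" unless defined $pid;
if ($pid == 0) {    # child: the LWP client under test
    close $listener;
    my $ua = LWP::UserAgent->new(timeout => 5);
    $ua->proxy(https => "http://127.0.0.1:$port");
    # Constructed URL; the request only ever reaches the loopback listener.
    $ua->get('https://host.invalid/private?token=constructed');
    exit 0;
}

# parent: accept one connection, read the request line, answer 501
my $conn = $listener->accept
    or die "no connection from LWP within 10 s\n";
my $line = <$conn>;
print $conn "HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n",
            "Connection: close\r\n\r\n";
close $conn;
waitpid($pid, 0);

print "proxy received: ", (defined $line ? $line : "(nothing)\n");
print "verdict: ", classify_request_line($line), "\n";
```

A `plaintext-https` verdict means the URL, headers and body are readable on the client-to-proxy leg and by the proxy itself; `tunnel` means LWP asked for a CONNECT tunnel before starting TLS.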

Comment 1 Petr Pisar 2018-05-02 07:48:03 UTC
Created attachment 1429746
Upstream fix

Comment 5 Petr Pisar 2019-08-07 16:41:37 UTC
Created attachment 1601457
Fix ported to 6.05

Comment 6 Petr Pisar 2019-11-21 15:13:09 UTC
Red Hat does not plan to add this feature into Red Hat Enterprise Linux 7 and recommends that you move to Red Hat Enterprise Linux 8, which contains this feature.